On 06/07/2016 06:46 PM, Eric S. Raymond wrote:
Mike <bellyac...@gmail.com>:
On 06/07/2016 05:57 PM, Hal Murray wrote:
Ntpd is running as user nobody, who can't write to that directory.
Hopefully that is user ntp rather than nobody.

The file permissions need to be set up for log files as well as the drift file.


The HOWTO sets up ntpd to run as nobody:nogroup.

The logfile set to /var/log/ntpd.log is root:root.  I'm not getting errors
there, gathering that it was opened before privileges were dropped.

OK, this permissions issue was next on my list of things to fix today,
but you have just confounded my plans.

I thought I was going to have to tweak clockmaker to create an ntp
user and group if it doesn't already exist, then set ntp to run with
those IDs in the init script.  That's easy enough to do.

You are suggesting that this is not so - that as long as we open log files
before privilege-dropping the ntp user/group pair isn't necessary at all.
If true I would mildly prefer to do things that way, it's simpler.

Input from those with operational experience, please.  What are the pros
and cons here?

I've always run as ntp:ntp. I've never had a publicly exposed server though, only work/home consumption to keep local LAN clocks mostly sane.

I will say that this thread has gone further than what I initially started above. I was simply pointing out that /var/lib/ntp/ntp.drift was unable to be written to as set up by the HOWTO. There is no logging or stats enabled in that file...

Mike

_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
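
Added example, not part of the thread and not ntpd source: the kernel checks file permissions at open(), not at write(), which is why a root:root log file opened before the drop keeps working while a file opened afterwards fails. Assumptions: the privilege drop is simulated with chmod 0 on a constructed temp file under /tmp (a real setuid/setgid drop needs root), and `open_before_drop_demo` is a hypothetical name.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct result {
    int early_write_ok;   /* write() on the fd opened before the "drop" */
    int late_open_errno;  /* errno from open() attempted after the "drop" */
};

/* Stand-in for the drop: a daemon would call setgroups/setgid/setuid here.
 * Revoking our own access with chmod 0 puts an unprivileged process in the
 * same position without needing root. */
static struct result open_before_drop_demo(void)
{
    struct result r = {0, 0};
    char path[] = "/tmp/ntpd-demo-XXXXXX";    /* constructed path */
    const char msg[] = "logged after drop\n";

    int early = mkstemp(path);                /* "log file": opened while allowed */
    if (early < 0) { r.late_open_errno = errno; return r; }

    if (chmod(path, 0) == 0) {                /* simulated privilege drop */
        /* The existing descriptor still works: no permission check on write(). */
        r.early_write_ok =
            write(early, msg, sizeof msg - 1) == (ssize_t)(sizeof msg - 1);

        /* A fresh open() is checked against current permissions and fails. */
        int late = open(path, O_WRONLY | O_APPEND);
        if (late < 0) r.late_open_errno = errno;
        else close(late);                     /* only root gets here */
    }
    close(early);
    unlink(path);
    return r;
}

int main(void)
{
    struct result r = open_before_drop_demo();
    printf("write on early fd: %s\n", r.early_write_ok ? "ok" : "failed");
    printf("open after drop:   %s\n", r.late_open_errno
           ? strerror(r.late_open_errno) : "ok (running as root)");
    return 0;
}
```

The same check applies when a daemon has to reopen its log after rotation: the early descriptor survives the drop, a fresh open() does not.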
